Completing the answer with a full REST endpoint:
In the ServiceStack web application:
Register the endpoint in AppHost.cs with something like:
/// <summary>
/// ServiceStack host configuration: registers the <see cref="Logon"/> request DTO at /logon,
/// accepting POST only (credentials must not be carried in a GET query string).
/// </summary>
/// <param name="container">The IoC container ServiceStack hands to the host; not used by this route registration.</param>
public override void Configure(Container container)
{
    const string logonRoute = "/logon";
    const string allowedVerbs = "POST";
    Routes.Add<Logon>(logonRoute, allowedVerbs);
}
Then there is a simple username / password Request DTO
/// <summary>
/// Request DTO for the /logon route: the plain username / password the client posts,
/// which <c>LogonService</c> forwards to the security token service.
/// </summary>
public class Logon
{
    private string _userName;
    private string _password;

    /// <summary>The user name presented to the security token service.</summary>
    public string UserName
    {
        get { return _userName; }
        set { _userName = value; }
    }

    /// <summary>
    /// The password belonging to <see cref="UserName"/>.
    /// NOTE(review): this is a plaintext credential in the request body — keep it out of request logs.
    /// </summary>
    public string Password
    {
        get { return _password; }
        set { _password = value; }
    }
}
And the service that handles the DTO:
The service should only handle POST — yes, you could pass the username / password as query parameters in a GET request, but that is not recommended (query strings end up in server, proxy and browser history logs). In practice this information usually goes in the Authorization header of the HTTP request, but that makes the work in ServiceStack a bit more complicated.
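/// <summary>
/// ServiceStack service behind the /logon route (registered in AppHost.Configure).
/// Exchanges the posted username / password for a SAML 2.0 bearer token at the identity
/// server's WS-Trust endpoint and returns the serialized RSTR, which the client then posts
/// to the WS-Federation module as <c>wresult</c>.
/// </summary>
public class LogonService : Service
{
    // WS-Trust 1.3 endpoint of the identity server that accepts a UserName credential over TLS.
    private const string StsEndpointAddress = "https://myserver/identityserverwebapp/issue/wstrust/mixed/username";

    // Relying-party realm the token is issued for; must match <audienceUris> and the wsFederation realm in Web.config.
    private const string Realm = "http://myserver/servicestackwebapp/";

    // SAML 2.0 token type URI (OASIS WSS SAML Token Profile 1.1).
    private const string Saml2TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /// <summary>
    /// Handles POST /logon.
    /// </summary>
    /// <param name="request">The credentials posted by the client.</param>
    /// <returns>The RequestSecurityTokenResponse serialized as WS-Trust 1.3 XML without an XML declaration.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
    /// <exception cref="ArgumentException">UserName or Password is missing.</exception>
    public object Post(Logon request)
    {
        if (request == null)
        {
            throw new ArgumentNullException("request");
        }
        // Reject obviously incomplete credentials here instead of round-tripping to the STS.
        if (string.IsNullOrEmpty(request.UserName) || string.IsNullOrEmpty(request.Password))
        {
            throw new ArgumentException("UserName and Password are required.");
        }

        var securityToken = GetSaml2SecurityToken(request.UserName, request.Password, StsEndpointAddress, Realm);
        return SerializeRequestSecurityTokenResponse(securityToken);
    }

    /// <summary>
    /// Issues a SAML 2.0 bearer token scoped to <paramref name="realm"/> by sending a WS-Trust 1.3
    /// Issue request with the given username / password to <paramref name="endpointAddress"/>.
    /// The WCF channel and factory are closed (or aborted on failure) so no channel is leaked.
    /// </summary>
    /// <param name="username">User name sent as the message credential.</param>
    /// <param name="password">Password sent with it; it is protected only by the TLS transport.</param>
    /// <param name="endpointAddress">The STS endpoint URL (https).</param>
    /// <param name="realm">The AppliesTo (relying party) the token is issued for.</param>
    /// <returns>The RSTR returned by the STS, carrying the issued token.</returns>
    private RequestSecurityTokenResponse GetSaml2SecurityToken(string username, string password, string endpointAddress, string realm)
    {
        // TransportWithMessageCredential: the credential travels inside the SOAP message and relies on
        // the transport (TLS) for confidentiality, so endpointAddress has to be an https URL.
        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(endpointAddress))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        WSTrustChannel channel = null;
        try
        {
            factory.Credentials.UserName.UserName = username;
            factory.Credentials.UserName.Password = password;
            channel = (WSTrustChannel)factory.CreateChannel();

            RequestSecurityTokenResponse requestSecurityTokenResponse;
            channel.Issue(new RequestSecurityToken
            {
                TokenType = Saml2TokenType,
                AppliesTo = new EndpointReference(realm),
                RequestType = RequestTypes.Issue,
                // Bearer: no proof key, the token is presented as-is — which is what the wresult hand-off needs.
                KeyType = KeyTypes.Bearer,
            }, out requestSecurityTokenResponse);

            // Orderly close; if Close faults we fall into the catch and Abort instead.
            channel.Close();
            factory.Close();
            return requestSecurityTokenResponse;
        }
        catch
        {
            // Abort never throws; it is the only safe way to tear down a faulted channel/factory.
            if (channel != null)
            {
                channel.Abort();
            }
            factory.Abort();
            throw;
        }
    }

    /// <summary>
    /// Serializes the RSTR to a WS-Trust 1.3 XML string without an XML declaration, so the client
    /// can post it verbatim as the <c>wresult</c> form field.
    /// </summary>
    /// <param name="requestSecurityTokenResponse">The RSTR received from the STS.</param>
    /// <returns>The RSTR as an XML string.</returns>
    private string SerializeRequestSecurityTokenResponse(RequestSecurityTokenResponse requestSecurityTokenResponse)
    {
        var serializer = new WSTrust13ResponseSerializer();
        // Token handlers come from the <system.identityModel> section of Web.config.
        var context = new WSTrustSerializationContext(
            FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlerCollectionManager);
        var stringBuilder = new StringBuilder(128);
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var stringWriter = new StringWriter(stringBuilder))
        using (var writer = XmlWriter.Create(stringWriter, settings))
        {
            serializer.WriteXml(requestSecurityTokenResponse, writer, context);
            writer.Flush();
        }
        return stringBuilder.ToString();
    }
}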
The ServiceStack web application's Web.config should look something like this:
<?xml version="1.0"?>
<!-- Web.config of the ServiceStack relying party. ASP.NET does no sign-in of its own
     (<authentication mode="None"/>); identity is established by the WIF modules registered
     under <system.webServer>/<modules>. -->
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<!-- Anonymous access is denied site-wide (<deny users="?"/> below). These two locations are the only
     ones open to unauthenticated callers: the federation metadata document and the /logon route. -->
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="logon">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" />
</httpHandlers>
<!-- Development setting; set debug="false" for a deployed build. -->
<compilation debug="true" />
<authentication mode="None" />
<authorization>
<deny users="?" />
</authorization>
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<!-- WSFederationAuthenticationModule consumes the wa=wsignin1.0 / wresult post made by the client;
     SessionAuthenticationModule turns the validated token into the session cookie (FedAuth). -->
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
<!-- Needed because both <httpHandlers> (classic pipeline) and <handlers> (integrated pipeline) are declared. -->
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
</handlers>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<!-- Must equal the AppliesTo/realm the token is issued for (see LogonService and the wsFederation realm below);
     a token for any other audience is rejected. -->
<audienceUris>
<add value="http://myserver/servicestackwebapp/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<!-- Sample thumbprint from this example: replace it with the thumbprint of the identity server's
     token-signing certificate. With certificateValidationMode="None" below, this pin is the only
     thing that ties an incoming token to the trusted issuer. -->
<add thumbprint="B6E05E14243FB7D76D5B660532520FB94679AA01" name="http://mycertificatefriendlyname" />
</trustedIssuers>
</issuerNameRegistry>
<!-- Disables X.509 chain/peer validation of the signing certificate; trust rests solely on the thumbprint above.
     Acceptable for a self-signed test certificate — prefer ChainTrust (or PeerTrust) in production. -->
<certificateValidation certificateValidationMode="None" />
<securityTokenHandlers>
<!-- Keeps the original SAML token on the identity as BootstrapContext. NOTE(review): the bootstrap token
     is also carried in the session cookie, which grows accordingly — only enable if the token must be
     re-presented to a downstream service. -->
<securityTokenHandlerConfiguration saveBootstrapContext="true" />
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<!-- requireSsl="false": the session cookie is not marked Secure, so it is also sent over plain HTTP.
     Matches the http:// realm of this example; set it to true once the site runs on HTTPS. -->
<cookieHandler requireSsl="false" />
<!-- passiveRedirectEnabled="false": unauthenticated requests are not redirected to the issuer; the client signs
     in through /logon and posts the token itself. requireHttps="false" permits that sign-in post over HTTP. -->
<wsFederation passiveRedirectEnabled="false" issuer="https://myserver/identityserverwebapp/issue/wsfed" realm="http://myserver/servicestackwebapp/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
</configuration>
Then, from JavaScript, call the REST endpoint and post the returned token back to servicestackwebapp so that the FedAuth session cookie gets issued:
// Sign-in flow: exchange the username / password for a token at /logon, then hand that
// token to the WS-Federation module on the site root so it issues the session cookie.
function onLogonResponse(data) {
    // data is the raw RSTR XML returned by /logon (dataType "text"), posted unchanged as wresult.
    $.ajax({
        type: "POST",
        url: "/servicestackwebapp/",
        data: "wa=wsignin1.0&wresult=" + encodeURIComponent(data)
    });
}

$.ajax({
    type: "POST",
    url: "/servicestackwebapp/logon",
    dataType: "text",
    // Sample credentials from this example.
    data: { UserName: "myuser", Password: "mypassword" },
    success: onLogonResponse
});
Note that this mixes HTTP and HTTPS: the token is requested from the identity server over HTTPS, while the ServiceStack application itself runs on plain HTTP (hence requireHttps="false" and requireSsl="false" in Web.config, which also means the posted wresult and the FedAuth cookie travel in the clear).
For more details, see: http://msdn.microsoft.com/en-us/library/hh446531.aspx
... , , , - Microsoft - , - - SAML () .